0:00:02.580,0:00:03.110
[Unofficial Transcript]
0:00:03.110,0:00:05.509
[Mr. Chaffetz] The subcommittee will come
to order.
0:00:05.509,0:00:09.770
Good afternoon and welcome to today's hearing,
Cybersecurity: Assessing the Immediate Threat
0:00:09.770,0:00:11.240
to the United States.
0:00:11.240,0:00:15.370
We appreciate your patience as we had votes
earlier. I know we are getting off to a late
0:00:15.370,0:00:20.270
start, but I appreciate you all being here
and participating.
0:00:20.270,0:00:23.880
Welcome, Ranking Member Tierney and members
of the subcommittee. I appreciate everybody
0:00:23.880,0:00:24.960
being here today.
0:00:24.960,0:00:28.810
Today's hearing is designed to act as a prelude
to the full committee hearing which will be
0:00:28.810,0:00:35.810
conducted a week later on June 1, a short
time from now. It is entitled: Cybersecurity:
0:00:35.920,0:00:40.479
Assessing the Immediate Threat to the United
States.
0:00:40.479,0:00:44.729
During today's hearing, the Subcommittee was
scheduled to receive testimony from the Administration,
0:00:44.729,0:00:49.780
industry and civilian cyber threat experts,
all of whom will likely state that cyber-related
0:00:49.780,0:00:53.400
intrusions pose one of the greatest threats
to our national security.
0:00:53.400,0:00:58.150
The intent is to obtain detailed information
from various sources and from various perspectives
0:00:58.150,0:01:03.750
as to what the current threat actually entails
so the committee can later delve more deeply
0:01:03.750,0:01:07.380
into how effective the Nation has been in
confronting the immediate cyber threat as
0:01:07.380,0:01:13.330
well as building defenses which safeguard
us from what appears to be a daunting future
0:01:13.330,0:01:14.670
cyber-security environment.
0:01:14.670,0:01:18.310
Given the unusual nature of the cyber threat,
it cannot be addressed solely by using the
0:01:18.310,0:01:22.360
traditional national security apparatus. In
short, the Federal Government is currently
0:01:22.360,0:01:27.100
incapable of securing the Nation against cyber
threats on its own and must embrace the broad,
0:01:27.100,0:01:29.600
transparent involvement of non-government
entities.
0:01:29.600,0:01:34.140
Like countries, approximately 85 percent of
the Nation's critical infrastructure is owned
0:01:34.140,0:01:38.950
by the private sector -- many of which are
small businesses. Because the Nation relies
0:01:38.950,0:01:42.780
so heavily on private industry to protect
this infrastructure, trusted partnerships
0:01:42.780,0:01:46.380
between the government and the private sector
must also be a priority.
0:01:46.380,0:01:51.450
In the words of the President, "Cybersecurity
is a challenge that we as a government or
0:01:51.450,0:01:56.800
as a country are not adequately prepared to
counter.'' In addition, in a recent interview,
0:01:56.800,0:02:01.200
Howard A. Schmidt, the U.S. Cybersecurity
Coordinator, emphasized the critical nature
0:02:01.200,0:02:05.890
of public-private partnerships as it relates
to cybersecurity.
0:02:05.890,0:02:10.780
Unfortunately, Mr. Schmidt refused to testify
today. I truly do find this unfortunate because
0:02:10.780,0:02:15.300
I believe he should be here in this important
discussion. I am deeply concerned that Mr.
0:02:15.300,0:02:19.390
Schmidt, as the Executive Branch's Cybersecurity
Coordinator, charged with the responsibility
0:02:19.390,0:02:25.130
for "orchestrating the many important cybersecurity
activities across the government,'' believes
0:02:25.130,0:02:29.640
that his management of this critical issue
is exempt from congressional oversight. That
0:02:29.640,0:02:33.200
is certainly inconsistent with what I have
heard the Administration and this President
0:02:33.200,0:02:36.640
say about the openness and transparency of
the Administration.
0:02:36.640,0:02:42.290
In his absence, the Administration has sent
us an expert from the Department of Homeland
0:02:42.290,0:02:45.630
Security. There was quite a debate whether
the Administration would allow him to sit
0:02:45.630,0:02:49.810
on the same panel as the industry experts
sitting in front of us today. I am glad the
0:02:49.810,0:02:54.069
issue was resolved, no matter a few hours
ago and we will now be able to receive testimony
0:02:54.069,0:02:59.349
from both the public and private perspective
together on one panel. In the future, I hope
0:02:59.349,0:03:01.290
this is not so difficult.
0:03:01.290,0:03:05.660
That said, I must stress my sincere disappointment
in the number of days wasted debating the need
0:03:05.660,0:03:11.110
to hear testimony from government and private
witnesses alike at the same time on the same
0:03:11.110,0:03:16.300
panel in a manner that allows members to most
effectively oversee this critical public/private
0:03:16.300,0:03:16.550
partnership.
0:03:16.300,0:03:21.650
I believe it is critical that while we focus
on the cyber threat, we also keep in mind
0:03:21.650,0:03:26.069
the need to develop well coordinated, strategic
cybersecurity partnerships with the private
0:03:26.069,0:03:31.020
sector in order to confront the threat. The
Administration has made repeated public statements
0:03:31.020,0:03:35.580
about the importance of this partnership.
Even the White House-directed cyberspace policy
0:03:35.580,0:03:42.069
review concluded that the United States cannot
succeed in securing cyberspace if it works
0:03:42.069,0:03:46.819
in isolation and should enhance its partnerships
with the private sector.
0:03:46.819,0:03:51.010
Cybersecurity experts agree that given the
likely national security impact of cyber attacks
0:03:51.010,0:03:56.069
on the economy, our critical infrastructure
such as transportation, energy and communications,
0:03:56.069,0:04:00.290
both private and public sectors must work
together closely and in a very transparent
0:04:00.290,0:04:07.120
way. This would also appear to be in line
with the President's stated commitment to
0:04:07.120,0:04:13.019
"create an unprecedented level of openness
in government'' and "to establish a system
0:04:13.019,0:04:15.989
of transparency, public participation and
collaboration.''
0:04:15.989,0:04:20.989
The ever changing face of the cyber threat
means that the authorities and capabilities
0:04:20.989,0:04:24.370
needed to confront the threat will likely
need to be changed or updated on a regular
0:04:24.370,0:04:29.020
basis. This is the reason why Congress must
be as attentive to the threat as any other
0:04:29.020,0:04:34.550
part of the government. I do not believe anyone
knowledgeable of cyber security would deny
0:04:34.550,0:04:39.050
that cyber threat is a major national security
issue for the United States.
0:04:39.050,0:04:43.969
The National Security Strategy published in
May 2010 highlights that cyber security threats
0:04:43.969,0:04:48.039
represent one of the most serious national
security, public safety and economic challenges
0:04:48.039,0:04:53.129
we face as a Nation. Therefore, a national
dialog in securing the Nation's digital infrastructure
0:04:53.129,0:04:55.779
must happen now and continue indefinitely.
0:04:55.779,0:05:01.460
It is my sincere hope that this dialog can
include many segments of society and can be
0:05:01.460,0:05:06.749
done in a nonpartisan way. It is my hope that
we as a Nation bring to bear against this
0:05:06.749,0:05:10.990
threat all expertise that resides within the
country. Strangely, we are faced with the
0:05:10.990,0:05:15.490
critical national security threat to which
the expertise needed to confront it does not
0:05:15.490,0:05:18.150
necessarily reside solely in the Federal Government
but also in the private sector.
0:05:18.150,0:05:24.779
A recent research project conducted by McAfee
and the Center for Strategic and International
0:05:24.779,0:05:29.990
Studies looked at the threats to power grids,
oil, gas and water across 14 countries. It
0:05:29.990,0:05:34.650
concluded that there had been dramatic increases
in cyber attacks against critical infrastructure
0:05:34.650,0:05:40.879
with as much as 80 percent of the companies
experiencing "large scale attacks.''
0:05:40.879,0:05:43.839
According to the project report, nearly 30
percent of the companies believed they were
0:05:43.839,0:05:48.979
unprepared for the attack and more than 40
percent expected a major cyber attack within
0:05:48.979,0:05:50.550
the next 12 months.
0:05:50.550,0:05:54.919
Also, according to an Office of Management
and Budget report, the number of reported
0:05:54.919,0:06:01.919
cyber incidents affecting U.S. federal agencies
shot up 39 percent in 2010, approximately
0:06:03.259,0:06:10.259
41,776 reported attacks, up from roughly 30,000
the year before.
0:06:10.460,0:06:14.289
I am positive the witnesses will elaborate
on the threat and I look forward to hearing
0:06:14.289,0:06:14.849
from the panel.
0:06:14.849,0:06:17.729
[Mr. Chaffetz] I will now recognize the distinguished
Ranking Member, the gentleman from Massachusetts,
0:06:17.729,0:06:18.099
Mr. Tierney, for his opening statement.
0:06:18.099,0:06:23.039
[Mr. Tierney] Thank you, Chairman Chaffetz,
for convening this hearing today. Thank you
0:06:23.039,0:06:30.039
to our witnesses for agreeing to testify.
0:06:31.930,0:06:38.930
I particularly want to thank the Administration's
witness here today, Sean McGurk, the Director
0:06:39.449,0:06:40.619
of the Control Systems Security Program at
the Department of Homeland Security's National
0:06:40.619,0:06:41.080
Cyber Security Division. Mr. McGurk has agreed
to testify before the Subcommittee on very
0:06:41.080,0:06:45.460
short notice and during a week in which the
Department of Homeland Security will testify
0:06:45.460,0:06:50.729
at five different cybersecurity hearings,
including a similar hearing held this morning.
0:06:50.729,0:06:55.740
Next week, the full committee is going to
hold another hearing on cybersecurity featuring
0:06:55.740,0:06:59.429
four different senior-level Administration
witnesses to discuss the Administration's
0:06:59.429,0:07:04.199
comprehensive legislative proposal to improve
cybersecurity with a focus on our Nation's
0:07:04.199,0:07:07.830
critical infrastructure and the Federal Government's
own networks and computers.
0:07:07.830,0:07:14.429
The proposal was drafted in response to numerous
legislative proposals introduced in the last
0:07:14.429,0:07:19.710
Congress and specific requests from congressional
leadership. That White House legislation won't
0:07:19.710,0:07:24.339
be the focus of today's hearing, but is a
much needed starting point for very important
0:07:24.339,0:07:24.889
conversation.
0:07:24.889,0:07:30.399
As someone who doesn't purport to be a techie
at all, I can tell you I have a great deal
0:07:30.399,0:07:36.319
of concern about the exposure we have in this
area, particularly having served a number
0:07:36.319,0:07:40.939
of years on the Intelligence Committee and
where that conversation goes should cause
0:07:40.939,0:07:44.580
some sleepless nights for a lot of people.
0:07:44.580,0:07:49.209
As computer technology has advanced, federal
agencies and our Nation's critical infrastructure,
0:07:49.209,0:07:53.749
such as power distribution, water supply,
telecommunications and emergency services,
0:07:53.749,0:08:00.080
have become increasingly dependent on computerized
information systems to carry out their operations
0:08:00.080,0:08:06.709
and to process, maintain and report essential
information.
0:08:06.709,0:08:11.389
Public and private organizations increasingly
rely on computer systems to transfer money
0:08:11.389,0:08:17.089
and sensitive and proprietary information,
conduct operations and deliver services. The
0:08:17.089,0:08:21.959
interconnected nature of these systems creates
risks for our national security, economic
0:08:21.959,0:08:24.599
security and public safety.
0:08:24.599,0:08:31.599
Just last month, in Massachusetts, a virus
called "W32.QAKBOT'' was discovered on computers
0:08:32.690,0:08:39.690
at the Executive Office of Labor and Workforce
Development. As a result, the Labor Department
0:08:41.000,0:08:46.790
said as many as 210,000 unemployed workers
may have had data compromised, including their
0:08:46.790,0:08:50.940
names, social security numbers, employer identification
numbers, addresses and email addresses.
0:08:50.940,0:08:55.950
Although the virus was originally discovered
back in April, it wasn't until last week that
0:08:55.950,0:08:59.620
the Labor Department realized the virus had
survived its early eradication efforts and
0:08:59.620,0:09:04.680
resulted in a data breach. This specific example
happened at a State government agency, but
0:09:04.680,0:09:09.630
also highlights the potential threat to Americans
across the country if our Federal computer
0:09:09.630,0:09:12.060
networks are not adequately protected.
0:09:12.060,0:09:14.970
As many commentators have documented, cyber
attacks on our Federal IT systems are on the
0:09:14.970,0:09:20.030
rise. The Chairman just went through the numbers
on that. It is becoming increasingly clear
0:09:20.030,0:09:25.120
that current efforts to counteract the attacks
are woefully insufficient.
0:09:25.120,0:09:30.200
The connectivity between information systems,
the Internet and other infrastructures also
0:09:30.200,0:09:35.270
creates opportunities for attackers to disrupt
telecommunications, electrical power and other
0:09:35.270,0:09:40.010
critical services. Some industry sectors are
so vital to the Nation that their incapacity
0:09:40.010,0:09:45.230
or destruction would have a debilitating impact
on national security, national economic security
0:09:45.230,0:09:47.610
or public health and safety.
0:09:47.610,0:09:51.350
Federal law enforcement and intelligence agencies
have identified multiple sources of threats
0:09:51.350,0:09:56.740
to our information systems and critical infrastructure.
These threats include foreign nations engaged
0:09:56.740,0:10:02.900
in espionage and information warfare, criminals,
hackers, disgruntled employees and contractors.
0:10:02.900,0:10:05.960
In one recent example, it has been alleged
that the Chinese Government spread a virus
0:10:05.960,0:10:09.940
that attacked Google and at least 80 other
United States companies.
0:10:09.940,0:10:14.500
Not all threats to Federal cybersecurity are
external. In June 2010, Wikileaks released
0:10:14.500,0:10:19.290
thousands of classified Department of State
and Department of Defense documents. Immediately
0:10:19.290,0:10:22.270
following the release of those documents,
the Secretary of Defense commissioned two
0:10:22.270,0:10:27.310
internal Department of Defense studies to
evaluate any weaknesses in their systems.
0:10:27.310,0:10:31.250
The studies found that the Department's policies
for dealing with an internal security threat
0:10:31.250,0:10:35.930
were inadequate and that the Department had
limited capability to detect and monitor anomalous
0:10:35.930,0:10:39.160
behavior on its classified computer networks.
0:10:39.160,0:10:43.080
These examples simply underline the need for
a comprehensive legislative approach that
0:10:43.080,0:10:47.120
will protect our national security and the
health and safety of the American people.
0:10:47.120,0:10:53.120
We have an obligation to ensure that the government's
IT systems are secure and that any critical
0:10:53.120,0:10:57.050
infrastructure is protected from the threat
of a cyber attack. The failure to properly
0:10:57.050,0:10:59.330
secure these networks could have dire consequences.
0:10:59.330,0:11:03.660
I look forward to this hearing and learning
more about the threat landscape and the challenges
0:11:03.660,0:11:05.160
we face in addressing this growing problem.
0:11:05.160,0:11:08.980
Again, I thank our witnesses and the Chairman
for bringing this hearing.
0:11:08.980,0:11:10.250
[Mr. Chaffetz] Thank you.
0:11:10.250,0:11:13.200
Members will have seven days to submit opening
statements for the record.
0:11:13.200,0:11:15.910
We will now recognize the panel.
0:11:15.910,0:11:20.680
Mr. Sean McGurk is Director, National Cybersecurity
& Communications Integration Center, U.S.
0:11:20.680,0:11:25.680
Department of Homeland Security. Mr. Phillip
Bond is the President of TechAmerica. Mr.
0:11:25.680,0:11:31.310
James A. Lewis is Director, Technology and
Public Policy Program, Center for Strategic
0:11:31.310,0:11:36.560
and International Studies. Mr. Dean Turner
is Director, Global Intelligence Network Symantec
0:11:36.560,0:11:37.220
Security Response.
0:11:37.220,0:11:42.420
Gentlemen, we appreciate your being here.
I would like to recognize each of you for
0:11:42.420,0:11:47.380
five minutes for an opening statement. If
you will try to keep it to five minutes, any
0:11:47.380,0:11:52.060
additional information you want to provide
we will submit to the record.
0:11:52.060,0:11:56.930
Pursuant to committee rule, all witnesses
must be sworn before they testify. Please
0:11:56.930,0:12:02.520
rise and raise your right hand.
0:12:02.520,0:12:07.780
Do you solemnly swear or affirm that the testimony
you are about to give will be the truth, the
0:12:07.780,0:12:08.920
whole truth, and nothing but the truth?
0:12:08.920,0:12:09.170
[Witnesses respond in the affirmative.]
0:12:09.100,0:12:15.840
[Mr. Chaffetz] Let the record reflect that
the witnesses answered in the affirmative.
0:12:15.840,0:12:19.310
We will now recognize Mr. McGurk for five
minutes.
0:12:19.310,0:12:24.220
[Mr. McGurk] Thank you, Chairman Chaffetz,
Ranking Member Tierney and distinguished members
0:12:24.220,0:12:27.960
of the committee. My name is Sean McGurk.
I am the Director for the National Cybersecurity
0:12:27.960,0:12:32.670
& Communications Integration Center, henceforth
known as NCCIC. Thank you for inviting me
0:12:32.670,0:12:37.230
today to discuss this important issue along
with this distinguished panel of experts on
0:12:37.230,0:12:39.750
cyber threats and the impact on critical infrastructure.
0:12:39.750,0:12:43.240
As both the Chairman and Ranking Member have
already identified, sensitive information
0:12:43.240,0:12:47.980
is routinely stolen from both government and
private sector networks. Last year, we saw
0:12:47.980,0:12:52.500
an increase in the threat as a result of not
what was being taken from networks but what
0:12:52.500,0:12:57.210
was being left behind in the result of what
was known as Stuxnet.
0:12:57.210,0:13:01.160
Successful cyber attacks could potentially
result in physical damage and loss of life.
0:13:01.160,0:13:06.570
There are many challenges in the current landscape,
strong and rapidly expanding capabilities,
0:13:06.570,0:13:11.530
lack of comprehensive threat and vulnerability
awareness and our information infrastructure
0:13:11.530,0:13:15.570
is dependent upon its continual availability
for our way of life.
0:13:15.570,0:13:20.240
The cyber environment is not homogenous under
a single department or agency or the private
0:13:20.240,0:13:24.980
sector. We recognize that cybersecurity is
a team sport. Government does not have all
0:13:24.980,0:13:29.970
the answers, so we must work closely with
the private sector to provide solutions. There
0:13:29.970,0:13:35.060
is no one size fits all and there is no magical
line to protect the cyber domain. It is about
0:13:35.060,0:13:39.100
information sharing and it is about sharing
knowledge collectively. Knowledge is only
0:13:39.100,0:13:44.330
power when it is shared. We must leverage
our expertise and our access to information
0:13:44.330,0:13:49.060
along with industry's specific needs, capabilities
and timelines.
0:13:49.060,0:13:55.620
Each partner has a significant role to play
and a unique capability in this environment.
0:13:55.620,0:14:00.710
In my 34 years of experience, with over 28
years serving in the United States Navy, you
0:14:00.710,0:14:06.990
learn that everyone has an ability to contribute.
The mission in cyber is many-fold and our
0:14:06.990,0:14:08.350
goals are clear.
0:14:08.350,0:14:12.590
In the law enforcement environment, they work
closely with the other agencies to identify
0:14:12.590,0:14:18.420
and prosecute cyber intrusions. The intelligence
and military community work to attribute,
0:14:18.420,0:14:23.790
to defend and to pursue those individuals.
DHS, along with the private sector, including
0:14:23.790,0:14:28.670
the financial services sector, the energy
sector, communications and others, work to
0:14:28.670,0:14:35.190
prepare, prevent, respond, recover and restore.
Coordinating the national response to domestic
0:14:35.190,0:14:41.090
emergencies is more of a matter of what and
how and not necessarily who and why until
0:14:41.090,0:14:42.230
much later.
0:14:42.230,0:14:46.720
To that end, I would like to emphasize that
my responsibilities from an operational standpoint
0:14:46.720,0:14:52.029
are focused on preventing and resolving attacks,
not attributing the source of those threats.
0:14:52.029,0:14:55.980
I would be willing to take any questions in
the future regarding the cyber threats and
0:14:55.980,0:15:01.600
the cyber capabilities of our country with
the committee under an appropriately classified
0:15:01.600,0:15:04.870
setting with the available interagency representatives.
0:15:04.870,0:15:10.970
NCCIC or the National Cybersecurity & Communications
Integration Center, works closely with government
0:15:10.970,0:15:16.040
and all levels of the private sector to coordinate
the integrated and unified response to cyber
0:15:16.040,0:15:20.980
communications incidents. Sponsoring security
clearances for the private sector enables
0:15:20.980,0:15:26.270
us to have our industry partners on the watch
floor in a classified environment looking
0:15:26.270,0:15:31.450
at actionable intelligence and providing information
to asset owners and operators in near real
0:15:31.450,0:15:32.960
time.
0:15:32.960,0:15:36.630
The DHS components have all been integrated
into the NCCIC along with representatives
0:15:36.630,0:15:42.380
from other agencies such as the National Security
Agency, U.S. Cyber Command, the FBI, the U.S.
0:15:42.380,0:15:47.720
Secret Service, and representatives from the
intelligence community at large. In addition,
0:15:47.720,0:15:52.339
we have private sector representatives sitting
on the watch floor from the communications
0:15:52.339,0:15:58.150
sector, the IT sector, the financial services
sector and the energy sector. Additionally,
0:15:58.150,0:16:02.640
we have representatives from State, local,
tribal and territorial governments represented
0:16:02.640,0:16:06.190
by the Multistate Information Sharing and
Analysis Center.
0:16:06.190,0:16:11.560
In conclusion, within our current legal authorities,
we continue to engage, collaborate and provide
0:16:11.560,0:16:17.279
analysis of vulnerability and mitigation assistance
to the private sector. We have experience
0:16:17.279,0:16:22.120
and expertise in dealing with the private
sector in planning steady state and crisis
0:16:22.120,0:16:27.339
scenarios. We have deployed numerous incident
response and assessment teams that enable
0:16:27.339,0:16:31.810
us to prevent, respond, recover and restore
from cyber incidents.
0:16:31.810,0:16:35.970
Finally, we work closely with the private
sector and our interagency partners in law
0:16:35.970,0:16:40.630
enforcement and in the intelligence community
to provide the full complement and capabilities
0:16:40.630,0:16:46.050
of the Federal Government for the private
sector in response to a cyber incident.
0:16:46.050,0:16:49.810
Chairman Chaffetz, Ranking Member Tierney
and distinguished members of the panel, let
0:16:49.810,0:16:54.300
me conclude by reiterating that I look forward
to exploring opportunities to advance this
0:16:54.300,0:16:58.720
mission in collaboration with the Subcommittee
and my colleagues in the public and private
0:16:58.720,0:16:59.350
sector.
0:16:59.350,0:17:03.900
Also, if the committee has any questions regarding
the Administration's legislative proposal,
0:17:03.900,0:17:07.610
I will be happy to defer those issues to the
policy representatives testifying before the
0:17:07.610,0:17:09.240
full committee next week.
0:17:09.240,0:17:12.939
Thank you again for this opportunity to testify
and I would be happy to answer any of your
0:17:12.939,0:17:13.329
questions.
0:17:13.329,0:17:15.519
[Mr. Chaffetz] Thank you.
0:17:15.519,0:17:17.579
Mr. Bond, you are now recognized for five
minutes.
0:17:17.579,0:17:20.639
[Mr. Bond] Thank you, Mr. Chairman, Ranking
Member Tierney, members of the committee.
0:17:20.639,0:17:24.619
I am honored to be here on behalf of TechAmerica,
the largest industry trade association in
0:17:24.619,0:17:30.009
the U.S. with some 1,000 member companies.
I will offer just a few thoughts on the challenge
0:17:30.009,0:17:32.690
in cyber and the policy response we need.
0:17:32.690,0:17:39.369
First, I would observe that cyber criminals
respond rapidly; they are creative. In 2010,
0:17:39.369,0:17:46.289
McAfee Labs identified more than 20 million
new pieces of malware globally. A 2011 online
0:17:46.289,0:17:53.110
fraud report from RSA, the security division
of EMC, found that the U.S. has consistently
0:17:53.110,0:17:59.559
hosted and been the target of a majority of
the worldwide cyber attacks.
0:17:59.559,0:18:04.649
Economic impact is serious. It is about $6
million a day when a corporation's site is down,
0:18:04.649,0:18:11.649
on average, and worldwide, the economy loses
some $86 billion a year due to cyber attacks.
0:18:13.759,0:18:19.249
Protecting our networks, as the Chair has
observed, is a public/private shared responsibility.
0:18:19.249,0:18:21.820
Neither one of us can do it alone.
0:18:21.820,0:18:26.179
The private sector's responsibility is to
innovate and operate its own infrastructure
0:18:26.179,0:18:32.360
in a safe way. The government has an obligation
to share timely and accurate information so
0:18:32.360,0:18:37.720
that the private sector can secure itself
and turn around and help to secure the government.
0:18:37.720,0:18:41.720
I will defer to our witness from Symantec
on a little bit more technical descriptions
0:18:41.720,0:18:47.559
of some of the threats. I would just underscore
this. The range of threat actors -- especially
0:18:47.559,0:18:51.720
right now -- including advanced, persistent
threats, APTs -- you will hear more about
0:18:51.720,0:18:55.529
that -- are going directly after the end user.
0:18:55.529,0:19:00.950
They attempt to trick them into downloading
malware or divulging sensitive information.
0:19:00.950,0:19:05.759
Again, it is the actual user being targeted,
not the mechanical system, the software or
0:19:05.759,0:19:12.759
whatever. It is going after human error. As
criminals probe for a soft spot in a system,
0:19:13.379,0:19:19.499
they are also probing now the individuals
who connect to that network.
0:19:19.499,0:19:24.730
With the increased reliance on all IT devices
now, we see the great shift to mobile devices
0:19:24.730,0:19:30.350
and that too will be an opportunity for cyber
criminals. Applications many times are downloaded
0:19:30.350,0:19:36.730
by users and not always being properly vetted.
0:19:36.730,0:19:43.519
We would submit that the policymakers and
the industry as well and the government need
0:19:43.519,0:19:50.259
to view security as an absolute basic, not
to be added on after but to be built-in from
0:19:50.259,0:19:56.110
the ground up. I would observe many companies
are doing exactly that. We need everybody
0:19:56.110,0:19:57.369
to do that.
0:19:57.369,0:20:04.369
I want to spend a couple of my remaining minutes
on some thoughts for you to consider as you
0:20:04.619,0:20:09.639
draft legislation, but let me break here to
underscore something that needs to be said.
0:20:09.639,0:20:14.730
Technology and innovation are a huge net positive
for the U.S. economy and for government, for
0:20:14.730,0:20:19.639
government service as well. They are our key
to national security, the war fighter has
0:20:19.639,0:20:23.419
an advantage, the key to homeland security,
the key to economic security, high paying
0:20:23.419,0:20:29.279
jobs, where we need to be as an economy, but
with those advantages there also have been
0:20:29.279,0:20:33.779
some down sides. That is what we are attempting
to talk about today.
0:20:33.779,0:20:39.129
Please consider, first, in policy, Congress
should do no harm. Do not undermine innovation;
0:20:39.129,0:20:45.239
it is our advantage. One size fits all will
not work. Second, government should promote
0:20:45.239,0:20:51.220
an outcome-based, layered security approach.
Government should develop processes to manage
0:20:51.220,0:20:58.220
and measure performance associated with real
security. Third, government should adopt a
0:20:58.340,0:21:03.509
risk-based approach to our Nation's infrastructure.
That means critical infrastructure should
0:21:03.509,0:21:08.220
be defined to include only that which is of
the utmost importance to national security
0:21:08.220,0:21:11.450
and then truly work to secure it.
0:21:11.450,0:21:15.190
Fourth, we believe government can provide
incentives to encourage industry to invest
0:21:15.190,0:21:22.190
in best practices in security, for example,
safe harbor, from data breach notification,
0:21:22.860,0:21:28.239
when an organization does what it should in
advance of a breach incident.
0:21:28.239,0:21:34.769
Fifth, Congress should update our government's
federal information security practices and
0:21:34.769,0:21:41.210
laws to perform in a more nimble environment,
so we strongly support updating FISMA. I know
0:21:41.210,0:21:43.360
the committee knows about that.
0:21:43.360,0:21:46.960
Finally, if industry is to act at the behest
of government, it is necessary that there
0:21:46.960,0:21:52.450
be clear liability protections, so if you
do what you should do or at the government's
0:21:52.450,0:21:57.789
behest, you should also be protected from
unintended consequences or liabilities.
0:21:57.789,0:22:01.279
Again, on behalf of the industry, thank you
for holding this hearing. We look forward
0:22:01.279,0:22:06.059
to doing all that we can to be a part of the
public/private partnership to find a solution
0:22:06.059,0:22:07.850
and maintain our national advantage in innovation.
0:22:07.850,0:22:10.929
[Mr. Chaffetz] Thank you.
0:22:10.929,0:22:13.259
Mr. Lewis, you are recognized for five minutes.
0:22:13.259,0:22:18.590
[Mr. Lewis] Thank you, Mr. Chairman. I thank
the committee for the opportunity to testify.
0:22:18.590,0:22:23.639
I am really impressed with the energy that
the committee is bringing to this issue. It
0:22:23.639,0:22:25.360
is something we need.
0:22:25.360,0:22:29.440
We depend, as a Nation, on the Internet, but
it is not secure and this gives criminals
0:22:29.440,0:22:35.440
and foreign opponents real opportunity to
damage the United States. Cyber threats fall
0:22:35.440,0:22:41.039
into two categories: high end attacks that
cause damage, destruction or casualties and
0:22:41.039,0:22:44.700
threats from cyber crime and cyber espionage.
0:22:44.700,0:22:49.809
Five countries, including Russia and China,
can launch high end cyber attacks. Another
0:22:49.809,0:22:56.769
30 countries are developing these capabilities.
States use skilled proxies, cyber criminals
0:22:56.769,0:23:03.389
and hackers to help them. Cyber attacks could
destroy critical infrastructure or disrupt
0:23:03.389,0:23:10.389
essential networks and services. At the moment,
however, no nation is likely to attack the
0:23:11.429,0:23:14.789
United States because they fear retaliation.
0:23:14.789,0:23:21.789
Terrorists do not yet have cyber attack capabilities,
nor do dangerous nations like Iran and North
0:23:21.999,0:23:27.950
Korea. However, they are eagerly pursuing
these cyber capabilities. We do not know how
0:23:27.950,0:23:33.249
close they are to acquiring them, but the
moment they acquire them, we can expect to
0:23:33.249,0:23:35.480
see damaging cyber attacks.
0:23:35.480,0:23:40.539
The immediate threat to the national interest
comes from crime and espionage. The Internet,
0:23:40.539,0:23:45.769
with all its weaknesses, created a golden
age for espionage and the U.S. has been the
0:23:45.769,0:23:52.159
chief victim. We have lost military technology,
intellectual property for high tech companies,
0:23:52.159,0:23:58.739
oil exploration data and confidential business
information. Banks suffer million dollar losses
0:23:58.739,0:24:00.109
almost every month.
0:24:00.109,0:24:05.629
None of this attracts much attention and some
companies prefer to conceal their losses and
0:24:05.629,0:24:11.070
in some cases, companies may not even know
they have been hit. Our estimates of the damages,
0:24:11.070,0:24:17.889
as you heard, are in the billions of dollars.
Weak cyber security damages our economic competitiveness
0:24:17.889,0:24:20.109
and technological leadership.
0:24:20.109,0:24:24.609
What can we do about this? There is certainly
a new energy in Washington about approaching
0:24:24.609,0:24:30.119
this properly, which is great. First, we need
to accept that we need a new approach that
0:24:30.119,0:24:36.009
puts cyber security as a major, national security
problem. The most dangerous threats in cyberspace
0:24:36.009,0:24:41.429
come from foreign military and foreign intelligence
agencies.
0:24:41.429,0:24:48.059
Second, this new approach needs to combine
trade policy, law enforcement, military strategy
0:24:48.059,0:24:53.690
and critical infrastructure protection. For
critical infrastructure, this means that DHS
0:24:53.690,0:24:58.119
must be able to mandate risk-based performance
standards. Public/private partnerships are
0:24:58.119,0:25:05.119
an important part of this. It would help,
however, to differentiate where the private
0:25:06.389,0:25:10.389
sector is strongest in things like information
sharing and innovation and where government
0:25:10.389,0:25:12.190
action is needed.
0:25:12.190,0:25:19.190
The immediate question is whether we can improve
our defenses before there is a damaging attack.
0:25:19.529,0:25:24.859
Most of the experts I know believe this is
not possible, that America will only act after
0:25:24.859,0:25:29.730
a crisis. I believe that the work of this
committee and others can help us avoid that
0:25:29.730,0:25:35.230
fate and let us do what is necessary to improve
public safety and national security in cyber
0:25:35.230,0:25:36.669
space.
0:25:36.669,0:25:40.190
Thank you for the opportunity to testify and
I look forward to your questions.
0:25:40.190,0:25:40.919
[Mr. Chaffetz] Thank you.
0:25:40.919,0:25:42.249
Mr. Turner, you are recognized for five minutes.
0:25:42.249,0:25:47.609
[Mr. Turner] Chairman Chaffetz, Ranking Member
Tierney and members of the Subcommittee, thank
0:25:47.609,0:25:52.559
you for the opportunity to testify today as
the committee considers cybersecurity and
0:25:52.559,0:25:56.179
the current threat level to the United States.
0:25:56.179,0:25:59.960
Mr. Chairman, on behalf of the nearly 500
Symantec employees based in your district
0:25:59.960,0:26:05.039
in Lindon, we certainly appreciate your focus
on cybersecurity issues.
0:26:05.039,0:26:09.519
My name is Dean Turner. I am Director of Symantec's
Global Intelligence Network.
0:26:09.519,0:26:16.340
Symantec is the world's information security
leader with over 25 years' experience in developing
0:26:16.340,0:26:22.039
Internet security technology. Our best-in-class
Global Intelligence Network allows us to capture
0:26:22.039,0:26:28.350
worldwide security intelligence data. We maintain
11 security response centers globally and
0:26:28.350,0:26:34.190
utilize over 240,000 attack sensors in more
than 200 countries to track malicious activity
0:26:34.190,0:26:41.190
24 hours a day, 365 days a year. In short,
if there is a class of threat on the Internet,
0:26:42.359,0:26:43.720
Symantec knows about it.
0:26:43.720,0:26:47.549
In my written testimony, I have provided the
committee with greater detail on the evolving
0:26:47.549,0:26:52.359
threat landscape, as well as an assessment
of some of the real world impacts of cyber
0:26:52.359,0:26:57.690
attacks on businesses and individuals. I also
touch on major challenges and the vulnerabilities
0:26:57.690,0:27:02.409
associated with securing new technologies
and how organizations can better secure their
0:27:02.409,0:27:06.200
important and critical systems.
0:27:06.200,0:27:10.769
In our April 2011 Symantec Internet Security
Threat Report, we observed several key threat
0:27:10.769,0:27:17.769
landscape trends for the calendar year 2010.
The year was book-ended by two significant
0:27:18.519,0:27:24.220
targeted attacks, including Hydraq, otherwise
known as Aurora, and Stuxnet. Stuxnet was
0:27:24.220,0:27:30.109
a game changer, exemplifying just how sophisticated
and targeted threats are becoming. It demonstrated
0:27:30.109,0:27:35.200
the vulnerability of critical national infrastructure
to attack and Stuxnet was the first publicly-known
0:27:35.200,0:27:39.489
threat to target industrial control systems.
0:27:39.489,0:27:44.929
Social networks continue to be a security
concern for organizations as government agencies
0:27:44.929,0:27:50.210
and companies struggle to find a satisfactory
compromise between leveraging the advantage
0:27:50.210,0:27:54.739
of social networking and limiting the dangers
posed by the increased exposure of potentially
0:27:54.739,0:27:58.070
sensitive and exploitable information.
0:27:58.070,0:28:02.889
Leveraging information from social networking
sites as part of a social engineering campaign
0:28:02.889,0:28:07.009
is one of the simplest and most effective
ways an attacker can lure their target to
0:28:07.009,0:28:11.979
a malicious website. For example, an attacker
can use information gathered from a social
0:28:11.979,0:28:16.820
networking site to create a target email that
then lures a victim to a website that hosts
0:28:16.820,0:28:23.080
malicious code. If the victim visits the website,
a Trojan, for example a key logger or a backdoor
0:28:23.080,0:28:30.080
can be installed and that begins exfiltrating
sensitive information back to the attacker.
0:28:31.470,0:28:37.499
In 2010, attack tool kits continued to see
widespread use. A typical tool kit today is
0:28:37.499,0:28:43.029
built to allow the cyber criminal to monetize
infected machines in every way possible. For
0:28:43.029,0:28:47.919
example, keystroke loggers are a simple way
to capture any password a user types in. Other
0:28:47.919,0:28:54.289
Trojans can also steal email addresses found
on the machine as well as add additional malware.
0:28:54.289,0:28:58.169
Attack tool kits and their ability to update
over the Web greatly increase the speed with
0:28:58.169,0:29:03.549
which new vulnerabilities are packaged, exploited
and spread. One of the most significant attack
0:29:03.549,0:29:07.440
kits known at the moment is the Zeus Trojan
and is a favorite of cyber criminals due to
0:29:07.440,0:29:14.440
its ease of use and low cost, about $400 in
the underground economy. It takes little to
0:29:15.080,0:29:19.899
no technical knowledge to launch this type
of attack and it can be extremely profitable
0:29:19.899,0:29:21.989
for cyber criminals.
0:29:21.989,0:29:26.080
With the proliferation of smart phones and
mobile devices, users are increasingly downloading
0:29:26.080,0:29:30.729
third party applications which is creating
an opportunity for the installation of malicious
0:29:30.729,0:29:35.229
applications. In 2010, there was a 42 percent
increase in the number of reported new mobile
0:29:35.229,0:29:41.590
operating system vulnerabilities and most
mobile malicious code is now designed to generate
0:29:41.590,0:29:45.249
revenue. Therefore, there are likely going
to be more threats created for these devices
0:29:45.249,0:29:50.429
as people increasingly use them for sensitive
transactions such as on-line shopping and
0:29:50.429,0:29:50.679
banking.
0:29:50.679,0:29:55.289
We have learned many lessons from today's
threat landscape and while the sophistication
0:29:55.289,0:30:00.499
level of attacks is increasing as is the potential
and real damage caused by such attacks, we
0:30:00.499,0:30:04.479
need to turn these lessons into action. In
addition to the recommendations contained
0:30:04.479,0:30:09.239
in my written testimony, the following steps
must be taken in order to better protect critical
0:30:09.239,0:30:11.239
systems from cyber attack.
0:30:11.239,0:30:17.340
First, develop and enforce IT policies and
automate compliance processes. Second, authenticate
0:30:17.340,0:30:22.159
identities by leveraging solutions that allow
businesses to ensure only authorized personnel
0:30:22.159,0:30:28.419
have access to those systems. Third, secure
end points, messaging and Web environments.
0:30:28.419,0:30:32.619
In addition, defending critical servers and
implementing the ability to back up and recover
0:30:32.619,0:30:36.739
data need to be top priorities.
0:30:36.739,0:30:40.200
Members of the committee, cybersecurity faces
a constantly evolving threat and there is
0:30:40.200,0:30:45.070
no single solution to prevent attacks. Attackers
are getting smarter and more resourceful every
0:30:45.070,0:30:51.669
day. Because of that, any solution must include
the private sector's expertise and innovation.
0:30:51.669,0:30:56.820
We must continue to be vigilant in protecting
our economy, our national security and our
0:30:56.820,0:30:58.139
way of life.
0:30:58.139,0:31:02.570
Symantec applauds Congress for focusing much
needed attention on cybersecurity and we look
0:31:02.570,0:31:09.570
forward to continuing this important dialog.
I will be happy to answer any questions you
0:31:10.859,0:31:12.210
might have.
0:31:12.210,0:31:14.529
[Mr. Chaffetz] Thank you.
0:31:14.529,0:31:18.129
We will now start the questioning. I am going
to recognize myself for five minutes -- maybe
0:31:18.129,0:31:18.379
even a little bit longer than that.
0:31:18.210,0:31:23.460
I appreciate all the expertise and routinely
what we hear is the threat, the threat, the
0:31:23.460,0:31:30.049
threat, it is happening and we are quantifying
something at $86 billion and perhaps beyond.
0:31:30.049,0:31:36.509
I do think there are probably a number of
companies that would be embarrassed out there
0:31:36.509,0:31:39.119
that there was some sort of security breach.
0:31:39.119,0:31:46.119
We are constantly told that it is consumers
and shoppers, that it is safe and secure to
0:31:46.129,0:31:51.359
type in our critical information, our personal
information just because it has that little
0:31:51.359,0:31:58.359
lock on there. What should the average person
in Topeka, Kansas be thinking about when they
0:31:59.489,0:32:05.359
go type in, how do you really tell if it is
secure or not and can you ever? Do you want
0:32:05.359,0:32:08.200
to take a stab at that, Mr. Bond.
0:32:08.200,0:32:15.200
[Mr. Bond] I will take a first stab at it,
Mr. Chairman. I think I would urge consumers
0:32:16.099,0:32:23.099
to do what a national education campaign has
urged which is stop thinking and act. Many
0:32:23.379,0:32:26.820
of these newly-designed threats that come
in and pose as something they are not, trying
0:32:26.820,0:32:33.820
to get you to either give information or simply
click on a bogus connection which very often
0:32:35.190,0:32:41.739
can be understood, gleaned or perceived as
a threat by simply stopping and thinking through,
0:32:41.739,0:32:47.389
wait a minute, is this really coming from
the company or an entity that it purports
0:32:47.389,0:32:48.190
to be.
0:32:48.190,0:32:55.190
This links to issues about short address names
and other things that are part of the challenge
0:32:55.720,0:33:01.799
right now, but I do think that a public education
campaign that tells people to stop and think
0:33:01.799,0:33:05.720
before they connect can have measurable impact.
That is a beginning point.
0:33:05.720,0:33:11.460
[Mr. Chaffetz] Certainly the success of Twitter
and Facebook and particular networks has become
0:33:11.460,0:33:17.529
immense globally. Mr. Lewis, what sort of
threat or danger to young people, old people,
0:33:17.529,0:33:22.419
people who participate on those types of social
networks exists? How secure, if at all, is
0:33:22.419,0:33:23.159
the information that is provided?
0:33:23.159,0:33:30.159
[Mr. Bond] The intent with information is
to be public, so it is easily collected. We
0:33:31.979,0:33:38.979
know there have been many problems in the
past. One of them, my favorite in some ways,
0:33:41.470,0:33:44.059
is the fact that people will often use their
pet's name or birthplace as their password
0:33:44.059,0:33:48.440
and then they will list it on the website,
so we have seen many, many incidences where
0:33:48.440,0:33:50.989
guessing the password on these sites isn't
that difficult.
0:33:50.989,0:33:57.989
We are a treasure trove for cyber criminals
because you can harvest all kinds of data
0:33:58.159,0:34:04.289
that will give you hints on passwords, employment,
where your bank is, so they have become kind
0:34:04.289,0:34:11.289
of unmanageable problems. There is little
the companies can do about that. I don't want
0:34:14.720,0:34:15.940
to blame Twitter or Facebook or any of them.
People choose to put their information up
0:34:15.940,0:34:20.980
there and they haven't thought enough, as
you heard from Phil, about what the implications
0:34:20.980,0:34:27.330
are. If you are going to have a Facebook account,
don't use your dog's name as the password.
0:34:27.330,0:34:31.370
[Mr. Chaffetz] Mr. McGurk, I would like to
learn a bit more about the differences or
0:34:31.370,0:34:36.429
perhaps the similarities between cyber attacks
from domestic and international sources. Are
0:34:36.429,0:34:42.570
there distinguishable differences or motives
between the domestic and the international
0:34:42.570,0:34:43.190
actors?
0:34:43.190,0:34:50.190
[Mr. McGurk] In the Department, as I mentioned
earlier during my testimony, we are focused
0:34:50.409,0:34:55.320
more on the risk mitigation strategy, so when
we look in the national infrastructure protection
0:34:55.320,0:35:00.520
plan, at the definition of risk, we identified
as threat, vulnerability and consequence.
0:35:00.520,0:35:03.580
The Department takes an all hazards approach.
0:35:03.580,0:35:08.410
The challenge there is identifying where the
threat actors are originating. That is a part
0:35:08.410,0:35:13.590
of it but from our standpoint, from the mitigation
standpoint, in protecting the networks, restoring
0:35:13.590,0:35:19.080
services and recovery, the actual source is
not as important as the vulnerability and
0:35:19.080,0:35:22.300
the consequence of those vulnerabilities.
That is really where the Department focuses
0:35:22.300,0:35:28.140
most of its attention and how to provide actionable
intelligence to the asset owners and operators
0:35:28.140,0:35:33.740
to prevent further escalation of the consequences
of the breach.
0:35:33.740,0:35:37.320
[Mr. Chaffetz] How far and wide are you doing
that? You are doing that, I would assume,
0:35:37.320,0:35:44.320
with the national interest, the federal assets
that we have. What about the private sector?
0:35:44.760,0:35:49.500
How involved do you get with them? There is
obviously Microsoft, Google and Yahoo in the
0:35:49.500,0:35:55.870
world, but there are also your medium level
guys. How interactive are you, can you possibly
0:35:55.870,0:36:00.670
be where there will be virtually every single
entity you could possibly think of?
0:36:00.670,0:36:05.650
[Mr. McGurk] One of the areas we focus on
in NCCIC is our assist and assess mission where
0:36:05.650,0:36:10.100
we actually send incident response teams and
assessment teams out into the field. We have
0:36:10.100,0:36:14.990
gone to companies of only seven employees
that were experiencing cyber intrusion to
0:36:14.990,0:36:20.900
Fortune 10 companies, working with them to
not only identify what the risk is but to
0:36:20.900,0:36:23.500
mitigate that risk in their cyber environments.
0:36:23.500,0:36:28.560
On average, a week does not go by where I
do not have a team in the field working with
0:36:28.560,0:36:32.910
the private sector to address those cyber
vulnerabilities and to mitigate those risks.
0:36:32.910,0:36:36.150
[Mr. Chaffetz] What percentage of the companies
can you possibly get to?
0:36:36.150,0:36:42.180
[Mr. McGurk] Again, to date, we have been
able to conduct 75 risk assessments over this
0:36:42.180,0:36:47.070
past year. We have not had the opportunity
or the requirement to turn anyone away. It
0:36:47.070,0:36:53.210
is completely voluntary. Part of the challenge
is when a risk, threat or intrusion is identified
0:36:53.210,0:36:59.830
to the Department, we will respond in kind
with a team of cybersecurity experts to assist
0:36:59.830,0:37:04.190
in restoring services. Again, that is a matter
of the request coming from industry.
0:37:04.190,0:37:05.590
[Mr. Chaffetz] Yes, Mr. Bond?
0:37:05.590,0:37:11.300
[Mr. Bond] I want to observe here that this
is where the power of the network can be tremendously
0:37:11.300,0:37:17.400
valuable. DHS does not need to physically go out
and talk to every company. We do need timely,
0:37:17.400,0:37:22.050
actionable sharing of information so that
the network, led by great vendors like Symantec
0:37:22.050,0:37:28.210
and others, and then proliferate and spread
that word to address whatever the vulnerability
0:37:28.210,0:37:31.130
is at the earliest possible stage as soon
as we know about the threat.
0:37:31.130,0:37:35.020
You will uncover, through the committee's
efforts and hearings, that there are information
0:37:35.020,0:37:38.950
sharing challenges between the government
and private sector, between the private sector
0:37:38.950,0:37:42.880
and the private sector.
0:37:42.880,0:37:44.760
[Mr. Chaffetz] Thank you. My time has expired.
I will now recognize Mr. Tierney for five
0:37:44.760,0:37:47.040
minutes or whatever he would like.
0:37:47.040,0:37:54.040
[Mr. Tierney] I am trying to work out something
in my mind that Mr. Bond got me thinking about
0:37:54.590,0:37:59.400
as he was talking, about who is responsible
for what, liability protections, incentives
0:37:59.400,0:38:00.590
and all of that.
0:38:00.590,0:38:04.410
I understand with respect to our national
security concerns and homeland protection,
0:38:04.410,0:38:09.340
being a part of that, that the government
systems, we have the responsibility, we have
0:38:09.340,0:38:14.570
to take care of it and move on from that,
but in terms of the private sector, when you
0:38:14.570,0:38:19.490
are not doing business with the government,
why isn't that on you? Why isn't it on you
0:38:19.490,0:38:20.960
to make sure that your systems are protected?
0:38:20.960,0:38:25.520
I see Mr. McGurk has teams running all over
the place doing what I would have thought
0:38:25.520,0:38:30.200
was your job, making sure you are safe, making
sure nobody can get into your system, making
0:38:30.200,0:38:35.530
sure consumer information is protected. If
you don't do a good job of that, I suspect
0:38:35.530,0:38:39.620
people aren't going to buy your product or
utilize your services. I don't know why we
0:38:39.620,0:38:43.810
have to give you incentives and I don't know
why you wouldn't be held liable if you make
0:38:43.810,0:38:47.650
a mess of it.
0:38:47.650,0:38:54.650
[Mr. Bond] It is an important observation
because we believe market forces are primary
0:38:56.720,0:39:01.680
to shaping good behavior and we see that time
and again. However, let me try to give you
0:39:01.680,0:39:02.860
an example.
0:39:02.860,0:39:09.860
If a small community is targeted, say the
bank in that community is targeted because
0:39:10.300,0:39:14.250
they want to get personal information or financial
information because there may be a lot of
0:39:14.250,0:39:21.200
DOD workers in that community, the Federal
Government says, gee, that small community
0:39:21.200,0:39:28.200
bank has somehow been breached and we need
you to go off line for a minute to help figure
0:39:29.140,0:39:33.280
this out and because it is a serious threat.
0:39:33.280,0:39:37.270
[Mr. Tierney] Let me back up. The government
didn't supply that system to that bank?
0:39:37.270,0:39:38.020
[Mr. Bond] No.
0:39:38.020,0:39:41.140
[Mr. Tierney] If it is breached, let's say
there aren't any government workers in that
0:39:41.140,0:39:41.390
area?
0:39:41.370,0:39:48.370
[Mr. Bond] That is not the point of liability.
For their inability to provide a secure system,
0:39:49.550,0:39:54.820
there are going to be questions about a community
bank in the future, but while they are down
0:39:54.820,0:40:01.460
because of a government request or demand
and Farmer McDonald doesn't get his loan or
0:40:01.460,0:40:05.890
loses the farm, is the bank liable because
they went down at the government request?
0:40:05.890,0:40:08.840
[Mr. Tierney] Forget the bank, the bank didn't
put the system in, they bought it from somebody
0:40:08.840,0:40:14.310
and paid for the service of installing it.
If it goes down, whether it goes down because
0:40:14.310,0:40:17.330
somebody breached it, the government suggests
they go down or whatever, it is still their
0:40:17.330,0:40:22.000
fault and their problem. Why wouldn't all
the responsibility and obligation lie with
0:40:22.000,0:40:25.980
them, not lie with the government in protecting
national security? We don't assess the government
0:40:25.980,0:40:28.720
every time they come in and protect us, but
the people who go out and sell to a bank in
0:40:28.720,0:40:33.270
a community, that they are going to give them
a system that is safe and secure, why doesn't
0:40:33.270,0:40:34.080
the buck stop there?
0:40:34.080,0:40:37.930
[Mr. Bond] I am trying to make a distinction
that I think is legitimate. When the government
0:40:37.930,0:40:43.680
says, based on what we know, you should do
this or we require you to do this and you
0:40:43.680,0:40:50.680
do that, any liability that stems from that
step should be protected because you are doing
0:40:51.670,0:40:52.410
something in accord with policy or government
request.
0:40:52.410,0:40:54.580
[Mr. Tierney] You wouldn't do it on your own
is what you are saying, look and see what
0:40:54.580,0:40:59.230
happened, figure you have to put in those
safeguards of your own volition?
0:40:59.230,0:41:02.530
[Mr. Bond] You would and I am failing to communicate.
0:41:02.530,0:41:05.870
[Mr. Tierney] No, you are not. I am just failing
to accept your premise. It is not that you
0:41:05.870,0:41:09.880
are failing to communicate. For whatever reason
you have to do something, it seems a customer
0:41:09.880,0:41:15.100
would want you to do and expect you to do,
I don't understand the shifting of responsibility
0:41:15.100,0:41:16.390
and obligation.
0:41:16.390,0:41:23.390
[Mr. Bond] If it is an action taken at government
requirement or policy, I don't think it is
0:41:24.580,0:41:29.320
the government's intent to make a company
liable for obeying the law.
0:41:29.320,0:41:33.180
[Mr. Tierney] Let us take your example, which
I thought was the most favorable position
0:41:33.180,0:41:37.970
you could take for yourself. A lot of people
work in the government, Department of Defense
0:41:37.970,0:41:41.090
or something, living in a particular neighborhood
doing business with a credit union or a bank
0:41:41.090,0:41:48.090
and the system someone in private industry
installed was secure, goes down and there
0:41:48.700,0:41:54.580
is a breach, you are telling me if the government
tells you to shut it down, or the government
0:41:54.580,0:41:59.370
tells you how to bring it up safely, you wouldn't
come across that on your own and if you didn't
0:41:59.370,0:42:02.810
come across that, the government had to take
action, therefore you shouldn't be responsible
0:42:02.810,0:42:04.910
for anything that results from you taking
those steps.
0:42:04.910,0:42:08.410
One of two things can happen. You are going
to try to resolve it yourself or somebody
0:42:08.410,0:42:13.560
is going to have to suggest to protect the
consumers and the community that it is going
0:42:13.560,0:42:18.260
to be done, then you say if I do it the way
they say do it, because I wouldn't do it on
0:42:18.260,0:42:21.920
my own, then I am going to be shouldered the
responsibility or liability. Is that your
0:42:21.920,0:42:22.170
position?
0:42:22.160,0:42:28.720
[Mr. Bond] No, but I appreciate your framing
it for me. What I am trying to underscore
0:42:28.720,0:42:34.020
is that when there is a policy or something
in place that has a requirement to it that
0:42:34.020,0:42:39.100
there not be liability attached to it being
the requirement. I could think of a lot of
0:42:39.100,0:42:45.660
different examples but if you are adhering
to the rules and best practices, and something
0:42:45.660,0:42:52.660
about that policy causes harm as a response,
that is something you are obeying policy on
0:42:54.030,0:42:56.020
and you should not be liable.
0:42:56.020,0:43:01.180
[Mr. Tierney] How do we ever get best policies
to keep getting better if you never have an
0:43:01.180,0:43:04.580
incentive to do it because you are covered
-- the threshold thing that is in place at
0:43:04.580,0:43:05.770
a given time?
0:43:05.770,0:43:11.500
[Mr. Bond] I could reverse it and say why
would you ever obey the government rule if
0:43:11.500,0:43:13.110
you are also not protected when obeying that rule?
0:43:13.110,0:43:16.080
[Mr. Tierney] Maybe we don't have a government
rule. Maybe we just leave you out there to
0:43:16.080,0:43:20.630
the market, so when you go down and that community
goes down or whatever, then you are on your
0:43:20.630,0:43:24.360
own. Would that be something you want, no
consumer protections, no government regulations,
0:43:24.360,0:43:25.630
would that make you happier?
0:43:25.630,0:43:31.250
[Mr. Bond] I am taking your earlier point
that market forces really do matter, but I
0:43:31.250,0:43:36.590
am trying to make the point that if we pass
rules and companies obey those rules, that
0:43:36.590,0:43:41.450
should not usher in some liability because
you obeyed the rule.
0:43:41.450,0:43:48.450
[Mr. Tierney] I am not trying to be contentious
with you, I am trying to get to the bottom.
0:43:48.890,0:43:52.660
I think it is an interesting question to ask,
but there be no government regulations in
0:43:52.660,0:43:56.820
this area. Mr. Bond, go ahead.
0:43:56.820,0:44:02.910
[Mr. Bond] I am not advocating that. I think
there are already some regulations in place,
0:44:02.910,0:44:07.650
certainly around the government systems and
how they interact with private sector systems,
0:44:07.650,0:44:08.650
contractors and others.
0:44:08.650,0:44:14.870
[Mr. Tierney] Other than that, should there
be any government regulations on your provision
0:44:14.870,0:44:18.770
of systems to private entities at all or should
it just be totally unregulated?
0:44:18.770,0:44:25.300
[Mr. Bond] I think that is a good question
we should look at, what is the use of standards,
0:44:25.300,0:44:29.240
what is the use of industry best practices
and other things that government and the private
0:44:29.240,0:44:35.440
sector are coming up with together and that
any regulatory steps should be taken very
0:44:35.440,0:44:38.810
carefully with all the expertise of the different
players in the room.
0:44:38.810,0:44:43.800
I am not here to draw any kind of line in
the sand, I am here to say that you need technical
0:44:43.800,0:44:47.530
experts like Mr. Turner and others in the
room to understand what the implications are in
0:44:47.530,0:44:48.720
an interconnected world.
0:44:48.720,0:44:55.720
[Mr. Turner] Just to add to that, I think
it is important when we are discussing liability,
0:44:56.220,0:45:00.530
we acknowledge the fact that it is incredibly
difficult to pin where that liability sits.
0:45:00.530,0:45:06.060
There is no such thing as a 100 percent secure,
fool proof piece of software. It doesn't exist
0:45:06.060,0:45:08.990
out there, I am sorry to say. Vulnerabilities
are a fact of life.
0:45:08.990,0:45:12.050
[Mr. Tierney] But there was never a 100 percent
secure train either, but at some point liability
0:45:12.050,0:45:16.780
went to the locomotive company because technology
had advanced to the point where they were
0:45:16.780,0:45:18.850
the ones to be held responsible for anything.
0:45:18.850,0:45:23.100
[Mr. Turner] I understand but when you are
asking to assess liability on a particular
0:45:23.100,0:45:27.170
focal point, whether that be the Federal Government,
the private sector or the vendor, we have
0:45:27.170,0:45:31.300
to deal with something called the law of intended
consequences. It is virtually impossible for
0:45:31.300,0:45:35.720
us, as an industry or anybody, to be able
to test with 100 percent certainty how that
0:45:35.720,0:45:38.540
particular product, software or service is
going to be used in that situation.
0:45:38.540,0:45:45.250
[Mr. Tierney] A better liability system has
never gone on 100 percent certainty, who is
0:45:45.250,0:45:47.630
responsible and then people make a decision
about what is reasonable. I was trying to
0:45:47.630,0:45:53.780
figure out whether it is reasonable to leave
it all to the industry to set the standards
0:45:53.780,0:45:58.700
and suffer whatever consequences or obligations
there might be or is there some advocacy here
0:45:58.700,0:46:02.820
that the government should, on behalf of the
consumer, whoever that might be, a business
0:46:02.820,0:46:08.020
or an individual, set some standards for compliance
and I haven't figured out whether you are
0:46:08.020,0:46:09.050
for or against yet.
0:46:09.050,0:46:15.850
[Mr. Turner] I suspect you will find that
the answer lies somewhere in the middle, that
0:46:15.850,0:46:18.850
it is again the public/private partnership.
0:46:18.850,0:46:20.450
[Mr. Lewis] Can I add something, Mr. Chairman,
because it is an interesting line of questioning.
0:46:20.450,0:46:27.140
There is a point we might want to put out
in the open and I think if you would use your
0:46:27.140,0:46:29.510
experience and the experience of other committee
members with the intelligence community, you
0:46:29.510,0:46:35.910
would be able to confirm this, but there is
no such thing as a secure, unclassified system.
0:46:35.910,0:46:39.660
I have been told by senior intelligence officials
that they have never seen an unclassified
0:46:39.660,0:46:45.380
system that has not been penetrated. We are
dealing with a problem where anyone can get
0:46:45.380,0:46:51.070
in. The solution to that is not a technological
solution.
0:46:51.070,0:46:57.480
Yes, over time, our technologies will get
better and that will squeeze out the low end
0:46:57.480,0:47:00.110
threat, so the high school kid who used to
be able to, in a couple of hours, break in,
0:47:00.110,0:47:06.850
now he might have to spend a little more time.
I think that is why a lot of us are in favor
0:47:06.850,0:47:12.250
of a comprehensive approach. You need to have
law enforcement cooperation with other countries.
0:47:12.250,0:47:17.150
You need to have strong military forces to
deter potential opponents. You need to work
0:47:17.150,0:47:21.250
with the service providers to get them to
help consumers and you do need some kind of
0:47:21.250,0:47:28.130
what we are calling now risk standards run
through the government that would impose some
0:47:28.130,0:47:29.360
requirements on at least critical infrastructure
companies.
0:47:29.360,0:47:36.360
If we can get together a package, we can deal
with the problem, but no single part will
0:47:42.280,0:47:42.530
solve this very damaging situation.
0:47:42.440,0:47:44.340
[Mr. Tierney] I guess what I am taking for
granted is you don't feel you can do your
0:47:44.340,0:47:49.320
optimum job without the assistance of the
government in some respect, is that fair to
0:47:49.320,0:47:56.320
say? You are all talking about partnerships.
I am guessing what the industry is saying
0:47:56.820,0:48:01.180
is we can't do this right without government
assistance at some level.
0:48:01.180,0:48:08.180
[Mr. Bond] I think I would say that we absolutely
need and welcome government involvement around
0:48:09.140,0:48:14.640
the critical infrastructure and as they do
that, we want to make sure experts are in
0:48:14.640,0:48:21.640
the room because these are very complicated
and interconnected issues. That is simply
0:48:22.890,0:48:23.730
it.
0:48:23.730,0:48:29.610
[Mr. Chaffetz] Mr. McGurk, as we talk about
the threat, where do you see the biggest threats
0:48:29.610,0:48:36.530
outside of the domestic United States? What
are the biggest threats? Where do you see
0:48:36.530,0:48:38.670
them coming from?
0:48:38.670,0:48:44.720
[Mr. McGurk] Again, focusing on the total
consequence and vulnerability aspect, the
0:48:44.720,0:48:50.390
threat actors range in sophistication and
capability from nation state-sponsored through
0:48:50.390,0:48:56.210
criminal activity down to a hacktivist, entirely
into what we call the script kiddie environment.
0:48:56.210,0:49:03.210
[Mr. Chaffetz] How many nations are attacking
this country on the cybersecurity front, how
0:49:03.370,0:49:04.250
many nation actors?
0:49:04.250,0:49:08.260
[Mr. McGurk] The challenge with that was the
point made earlier by some of the members
0:49:08.260,0:49:14.840
of attribution. It is very difficult to positively
attribute known activity. Even if I were to
0:49:14.840,0:49:21.310
say an IP address or the source address originated
in a particular country or a particular area,
0:49:21.310,0:49:25.960
that may not be the actual actor, so the attribution
piece is very difficult.
0:49:25.960,0:49:31.270
[Mr. Chaffetz] I recognize that it is difficult,
but you have some number that you have assessed,
0:49:31.270,0:49:34.720
at least I hope you do. What is that number,
how many countries?
0:49:34.720,0:49:38.080
[Mr. McGurk] I would actually defer that to
the intelligence community representatives
0:49:38.080,0:49:41.560
in another forum. I wouldn't be able to comment
on that here today.
0:49:41.560,0:49:48.560
[Mr. Chaffetz] What is the consequence for
somebody who is attacking us on the cybersecurity
0:49:49.330,0:49:53.260
front? Is there anything we can do or have
done? Is there any instance where we have
0:49:53.260,0:49:59.490
actually said, Country X, you have been doing
this and this is the consequence? Is there
0:49:59.490,0:50:01.060
any consequence to that?
0:50:01.060,0:50:05.780
[Mr. McGurk] To my knowledge, I am not familiar
with any official demarche that has ever been
0:50:05.780,0:50:10.680
issued or ever been delivered to a particular
nation state associated with malicious cyber
0:50:10.680,0:50:10.930
activity.
0:50:10.910,0:50:16.300
[Mr. Chaffetz] How often are we getting attacked
from nation states -- daily, hourly?
0:50:16.300,0:50:22.230
[Mr. McGurk] There are hourly cyber attacks.
Whether they originate and are state-sponsored
0:50:22.230,0:50:26.530
or if they just originate from IP addresses
that are being spoofed as far as the location,
0:50:26.530,0:50:31.360
if they are criminal activity or if they are
independent activists that are operating under
0:50:31.360,0:50:33.660
the protection of a nation state.
0:50:33.660,0:50:39.130
[Mr. Chaffetz] Let us pretend we have a nation
state that says yes, what is the consequence?
0:50:39.130,0:50:39.450
What do we do?
0:50:39.450,0:50:45.320
[Mr. McGurk] Not necessarily dealing in hypotheticals,
but looking at the consequence analysis that
0:50:45.320,0:50:49.920
the Department conducts associated with cyber
physical systems, one of the demonstrations
0:50:49.920,0:50:55.080
we conducted in 2007 was known as the Aurora
Experiment where we demonstrated the capability
0:50:55.080,0:50:59.630
of taking digital protective circuits and
physically destroying large pieces of rotating
0:50:59.630,0:51:03.630
equipment. This type of equipment has years
to repair or replace.
0:51:03.630,0:51:07.520
[Mr. Chaffetz] That is cool, I like hearing
that. What else can we do?
0:51:07.520,0:51:12.770
[Mr. McGurk] Subsequently, we recognize we
have to apply a defense in-depth strategy.
0:51:12.770,0:51:14.200
[Mr. Chaffetz] I hope we are doing that.
0:51:14.200,0:51:18.570
[Mr. McGurk] Yes, sir. In many of these cases,
these legacy-based systems are 10, 20 or 30
0:51:18.570,0:51:23.880
years old, so subsequently we can't bolt on
a new application so we either need to enclave
0:51:23.880,0:51:29.970
these pieces of equipment in a secure environment
or mitigate the risk associated with operating
0:51:29.970,0:51:31.950
those systems in a connected world.
0:51:31.950,0:51:38.480
The comment was made earlier about separating
networks and never finding a secure network.
0:51:38.480,0:51:42.800
In our experience, in conducting hundreds
of vulnerability assessments in the private
0:51:42.800,0:51:48.120
sector, in no case have we ever found the
operations network, the SCADA system or energy
0:51:48.120,0:51:53.710
management system separated from the Enterprise
network. On average, we see 11 direct connections
0:51:53.710,0:51:59.710
between those networks and in some extreme
cases, we have identified up to 250 connections
0:51:59.710,0:52:05.600
between the actual producing network and the
enterprise environment. That is one of the
0:52:05.600,0:52:09.410
challenges we have, as I mentioned earlier,
in actually securing these networks and understanding
0:52:09.410,0:52:14.290
the consequences associated with the vulnerabilities
and not just the threat actors.
0:52:14.290,0:52:20.480
[Mr. Chaffetz] That doesn't give us much confidence,
but it is reality. That is what we are after
0:52:20.480,0:52:21.990
here.
0:52:21.990,0:52:28.710
If I went down the row here, what do you all
see as the single most significant weakness
0:52:28.710,0:52:33.500
in the system right now? I will start with
you, Mr. Bond, and then we will loop around
0:52:33.500,0:52:35.350
and get to you, Mr. McGurk.
0:52:35.350,0:52:42.350
[Mr. Bond] I would probably identify better
information sharing coming between the government
0:52:44.280,0:52:48.720
and the private sector. I don't think we are
sometimes free to discuss the threats we see
0:52:48.720,0:52:48.970
so that we can respond quickly.
0:52:48.920,0:52:49.170
[Mr. Chaffetz] Mr. Lewis?
0:52:49.050,0:52:55.120
[Mr. Lewis] I would go back to your point
about consequences. If nobody is ever punished
0:52:55.120,0:53:00.010
for doing something bad or even chastised,
they are just going to do more of it, so I
0:53:00.010,0:53:07.010
think our failure to have any consequence
for any sort of cyber action is really damaging.
0:53:07.250,0:53:08.340
[Mr. Chaffetz] Mr. Turner?
0:53:08.340,0:53:12.650
[Mr. Turner] I would have a tendency to agree
with Mr. Bond that information sharing is
0:53:12.650,0:53:18.390
the key component, but I would also add and
rank just as highly that we need to start
0:53:18.390,0:53:24.080
moving away from the mindset in which we currently
find ourselves which is detection and remediation.
0:53:24.080,0:53:31.080
This is the cycle we are in, we detect and
remediate, detect and remediate. We are always
0:53:31.130,0:53:33.490
behind the curve. We need to get a little
more predictive and a little more proactive
0:53:33.490,0:53:35.640
in terms of reaching out which sort of dovetails
into Mr. Lewis' comment about the consequences
0:53:35.640,0:53:37.460
for actions.
0:53:37.460,0:53:41.080
[Mr. Chaffetz] Mr. McGurk?
0:53:41.080,0:53:46.160
[Mr. McGurk] Thank you for the opportunity
to last because I would say all of the above.
0:53:46.160,0:53:48.530
[Mr. Chaffetz] I agree with you.
0:53:48.530,0:53:53.860
[Mr. McGurk] If I may add on the information
sharing piece, arguably we have been sharing
0:53:53.860,0:53:58.930
information for years between the government
and the private sector. We need to focus on
0:53:58.930,0:54:02.660
collaboratively developing knowledge so that
we can provide actionable intelligence to
0:54:02.660,0:54:04.030
mitigate the risk.
0:54:04.030,0:54:08.970
The great example of that was in November
of last year, there was a particularly malicious
0:54:08.970,0:54:14.710
piece of code known as the "Here You Have''
virus. It was actually identified through
0:54:14.710,0:54:19.950
the intelligence community as being a known
malicious piece of software and within hours,
0:54:19.950,0:54:25.150
the Department was able to identify that particular
piece of code and provide actionable intelligence
0:54:25.150,0:54:31.660
to the community through a series of declassification
measures using the private sector's expertise
0:54:31.660,0:54:34.970
to provide information to the private sector
so they could take the necessary steps to
0:54:34.970,0:54:36.110
mitigate the risk.
0:54:36.110,0:54:41.000
That is the step we need to actually have
an effect on cyber risk at that speed and
0:54:41.000,0:54:44.100
not just simply put together another information
sharing body.
0:54:44.100,0:54:50.830
[Mr. Chaffetz] I want to go quickly here to
the cloud. There is a lot of movement within
0:54:50.830,0:54:57.300
the industry to encourage people to store
their information on the cloud which creates
0:54:57.300,0:55:03.900
questions about security and do I trust some
major provider more than I trust my own local
0:55:03.900,0:55:10.900
server, do I think it is more safe than my
individual computer.
0:55:13.140,0:55:17.070
What are the vulnerabilities there? Should
we feel more secure, more safe with cloud
0:55:17.070,0:55:22.830
and movement to the cloud or less? Let us
start with Mr. Lewis this time.
0:55:22.830,0:55:28.960
[Mr. Lewis] You caught me off guard, Mr. Chairman.
Right now, I would say there is probably a
0:55:28.960,0:55:33.820
slight advantage to having your stuff in the
cloud because some of the companies, some
0:55:33.820,0:55:39.760
of the service providers can devote more attention,
particularly for small and medium size enterprises.
0:55:39.760,0:55:46.760
They may actually benefit from having a big
company -- a Google or a Microsoft or an IBM
0:55:47.420,0:55:52.110
-- manage their data. There are other drawbacks
to it.
0:55:52.110,0:55:58.410
For large enterprises, I am not sure they
benefit and a lot depends on how well the
0:55:58.410,0:56:05.410
cloud service providers actually do. On the
whole, small companies are better off. Big
0:56:05.490,0:56:06.020
companies may be a wash.
0:56:06.020,0:56:06.450
[Mr. Chaffetz] Mr. Turner?
0:56:06.450,0:56:13.290
[Mr. Turner] I agree with Mr. Lewis in a sense.
I do think, however, enterprises do benefit
0:56:13.290,0:56:18.940
because a lot of what we are seeing in the
move to the cloud is driven by total cost
0:56:18.940,0:56:20.900
of ownership and reduction of costs, and so
forth. From a security perspective, it is
0:56:20.900,0:56:26.400
going to be contextual because you are going
to have to ask yourself those very important
0:56:26.400,0:56:31.480
questions about with whom do I trust my data.
That is going to come down to reputation and
0:56:31.480,0:56:31.730
past behavior.
0:56:31.700,0:56:35.910
It is not meant to be a pitch but that is
certainly the case in the questions that have
0:56:35.910,0:56:42.320
to be asked. If they don't, there will be
a lot of people, as we move to the cloud, that
0:56:42.320,0:56:44.530
will be able to make these services available
whether they be onshore in the United States
0:56:44.530,0:56:47.430
or offshore and these other places. What is
the track record going to be? We have to make
0:56:47.430,0:56:54.430
a very clear and very careful assessment of
the information we are willing to share because
0:56:55.220,0:56:58.250
not all information could be protected.
0:56:58.250,0:57:05.250
[Mr. Chaffetz] Let me shift here a little,
if I could. Mr. McGurk, let us talk about
0:57:09.180,0:57:14.140
databases. The Federal Government has over
2,000 databases. On one hand, you can say
0:57:14.140,0:57:18.510
maybe that diversified portfolio provides
a degree of safety and security, so the Bureau
0:57:18.510,0:57:24.940
of Indian Affairs is separate from the Department
of Justice. I can understand the security
0:57:24.940,0:57:28.040
component at the Department of Justice is
probably a little bit higher than the Bureau
0:57:28.040,0:57:28.910
of Indian Affairs.
0:57:28.910,0:57:35.910
What are the weak links associated with that?
Do we want to consolidate those and have five
0:57:37.230,0:57:43.820
really good data warehouses or databases or
is this diversified portfolio advisable? I
0:57:43.820,0:57:48.530
worry that so many agencies are trying to
create so many things, we are duplicating
0:57:48.530,0:57:52.730
efforts and consequently, they are all probably
not nearly as secure as we want them to be.
0:57:52.730,0:57:57.480
What is your perception of that?
0:57:57.480,0:58:02.290
[Mr. McGurk] I believe it is actually a capabilities
versus a requirements discussion. When you
0:58:02.290,0:58:08.050
talk about the dispersed nature of the database
as in the infrastructure, it goes to the cloud
0:58:08.050,0:58:09.650
discussion we were just having.
0:58:09.650,0:58:15.730
One of the benefits of that secure environment
is that you can have a disparate approach
0:58:15.730,0:58:21.260
to data storage so that not all the keys to
the kingdom are in one location. That provides
0:58:21.260,0:58:27.370
an obscurity model for data in motion and
data at rest. By being able to do that, we
0:58:27.370,0:58:30.870
can better allow for a distributed approach
for data security.
0:58:30.870,0:58:37.050
That being said, one of the initiatives the
Department has been executing for quite some
0:58:37.050,0:58:41.260
time now is a trusted Internet connection
program. That was part of the Comprehensive
0:58:41.260,0:58:47.050
National Cybersecurity Initiative. Instead
of trying to instrument or monitor each of
0:58:47.050,0:58:51.360
the separate departments and agencies,
we roll that up to an aggregation point so
0:58:51.360,0:58:57.180
that we can understand flow and control the
information access points at an aggregated
0:58:57.180,0:59:00.490
standpoint and still allow for the diversity
of the independent departments and agencies.
0:59:00.490,0:59:07.490
[Mr. Bond] Just quickly, I want to make sure
to offer to brief the committee and its members.
0:59:08.640,0:59:15.640
Our TechAmerica Foundation actually has 73
companies and academics involved in a commission
0:59:15.640,0:59:19.110
right now to advise the government on the
cloud and the leadership opportunity for the
0:59:19.110,0:59:23.620
US and the cloud. One of the questions they
are going to be addressing is the security
0:59:23.620,0:59:29.460
profile of the cloud. There are leading thinkers
who would challenge Jim's assertion and maybe
0:59:29.460,0:59:32.010
even say the cloud would be more secure for
all enterprises.
0:59:32.010,0:59:34.550
[Mr. Chaffetz] Mr. Tierney?
0:59:34.550,0:59:41.550
[Mr. Tierney] Mr. Bond, in your testimony
you emphasized the public/private relationship,
0:59:42.020,0:59:47.760
particularly with respect to education and
information sharing. Do you think education
0:59:47.760,0:59:52.620
and information sharing are sufficient to
protect the critical infrastructure from cyber
0:59:52.620,0:59:57.410
attacks? Do you think that is where we should
leave it?
0:59:57.410,1:00:02.280
[Mr. Bond] No, I think we presume there are
going to be special rules, regulations and
1:00:02.280,1:00:09.280
requirements around the critical infrastructure.
We think education jointly identifying where
1:00:09.550,1:00:14.040
the government should invest R&D dollars in
cybersecurity, all will be a part of that
1:00:14.040,1:00:19.730
ultimate solution. We certainly advocate for
clear distinction of what the critical infrastructure,
1:00:19.730,1:00:23.060
a good definition of it and special requirements
for it.
1:00:23.060,1:00:29.700
[Mr. Tierney] In that vein -- and I ask this
of all of you -- the present CEO of the North
1:00:29.700,1:00:33.180
American Electrical Reliability Corporation,
a fellow named Gerry Cauley, that you are
1:00:33.180,1:00:38.210
all probably familiar with, testified before
the Armed Services Committee on this topic.
1:00:38.210,1:00:43.950
He said he didn't think there was clarity
of responsibility. He thinks collaboration
1:00:43.950,1:00:48.070
and consultation have been good but should
be based on an ad hoc relationship with clear
1:00:48.070,1:00:52.150
lines of responsibility and authority. Are
you all pretty much in agreement with that
1:00:52.150,1:00:57.020
or do you disagree?
1:00:57.020,1:01:03.790
[Mr. Lewis] In some ways, the electrical grid
is the most attractive target we have for
1:01:03.790,1:01:10.500
some of our opponents. It is not secure, so
if the statement he made was that we have
1:01:10.500,1:01:15.520
been relying on an ad hoc process, I think
that is right and there is a lot of room for
1:01:15.520,1:01:16.200
improvement.
1:01:16.200,1:01:21.690
[Mr. Tierney] Do you know why there isn't
a clear line of responsibility? What is the
1:01:21.690,1:01:26.780
impediment to deciding who will be in charge
of this overall, overriding plan we have?
1:01:26.780,1:01:32.310
[Mr. Turner] I think part of the issue too
is the responsibility in sharing the data
1:01:32.310,1:01:37.970
itself. What data can you share? There are
a whole host of impediments and barriers to
1:01:37.970,1:01:44.880
sharing what is arguably confidential information
in some areas. That is part of the issue I
1:01:44.880,1:01:51.610
think gets in the way of trying to formalize
relationships and put them in a hierarchical
1:01:51.610,1:01:53.140
order to say this is who is doing this and
this is who is doing that. I think that has
1:01:53.140,1:01:56.440
primarily been holding back even the larger
information sharing relationship that goes
1:01:56.440,1:02:01.790
on between the public and private sector,
not limited to that particular sector itself.
1:02:01.790,1:02:03.680
[Mr. Tierney] Can I assume that some countries
share this problem and some countries don't
1:02:03.680,1:02:06.110
depending on the nature of the government
in a given country?
1:02:06.110,1:02:10.540
[Mr. Turner] I am not so sure it actually
comes down to a country by country level,
1:02:10.540,1:02:17.000
to be perfectly honest with you. I think it
is the nature of the issue itself that you
1:02:17.000,1:02:24.000
are talking about the sharing of that information.
This is merely to illustrate a problem with
1:02:24.820,1:02:31.250
the information sharing network that sometimes
when information goes from the private sector
1:02:31.250,1:02:33.560
to the public sector, it is a one way street.
Part of the whole education thing is we have
1:02:33.560,1:02:40.560
to come to agreement on how we share that
information to ensure that there is valuable
1:02:43.860,1:02:46.790
information that can come back the other way
as well.
1:02:46.790,1:02:52.400
[Mr. Lewis] On that note, I talked with one
of the larger European countries. They have
1:02:52.400,1:02:57.410
set up something like our Cyber Command. They
were telling me what they had done with their
1:02:57.410,1:03:04.410
electrical grid and requiring their grid operators
to be more secure. I said, that is amazing,
1:03:04.560,1:03:07.970
how did you guys get away with that? We could
never do that. They said, when they privatize,
1:03:07.970,1:03:10.580
they made sure to keep two board seats.
1:03:10.580,1:03:15.020
Where you are seeing a difference emerge is
in the countries that still have a small number
1:03:15.020,1:03:19.630
of service providers, where the government
has a more directive role, they are pulling
1:03:19.630,1:03:25.119
ahead a little bit. Right now, I would say
we are all sort of in equally bad shape and
1:03:25.119,1:03:30.030
one of the trends to watch is whether that
changes in a way that disadvantages us.
1:03:30.030,1:03:36.030
[Mr. Tierney] Let me ask one last question
of each of you. What do each of you as individuals
1:03:36.030,1:03:42.250
think the government role ought to be in protecting
the infrastructure for private companies?
1:03:42.250,1:03:43.780
Mr. McGurk?
1:03:43.780,1:03:49.750
[Mr. McGurk] I believe the current role we
are executing as a coordinator and integrator
1:03:49.750,1:03:55.060
to provide understanding and awareness across
the 18 critical infrastructures is a key role
1:03:55.060,1:04:01.790
and a service that we provide. As many of
my distinguished panel members have said,
1:04:01.790,1:04:06.960
information may come from one sector and may
be germane to another but there is no direct
1:04:06.960,1:04:08.710
connection to share that information.
1:04:08.710,1:04:13.780
By aggregating that at the Department, we
are able to take alerts, warnings or indications
1:04:13.780,1:04:19.890
coming from the electric sector, anonymize
that information or identify the vulnerability
1:04:19.890,1:04:24.710
and provide that to the water sector, the
chemical sector or the petroleum sectors.
1:04:24.710,1:04:30.200
That is a service and capability we provide
because we do have broad exposure into each
1:04:30.200,1:04:32.000
of those 18 critical infrastructures.
1:04:32.000,1:04:34.180
[Mr. Tierney] Mr. Bond?
1:04:34.180,1:04:39.560
[Mr. Bond] Certainly I would underscore the
notion that there needs to be a key role in
1:04:39.560,1:04:45.230
defining the critical infrastructure and having
special requirements for that. The farther
1:04:45.230,1:04:52.230
out you move on the network and the closer
to consumer applications and so forth, I think
1:04:52.810,1:04:58.730
we need this roundtable of real experts to
understand what it means in a networked world
1:04:58.730,1:05:03.930
because they are all connected and difficult
to determine regulatory schemes.
1:05:03.930,1:05:05.830
[Mr. Tierney] Mr. Lewis?
1:05:05.830,1:05:12.470
[Mr. Lewis] Three things -- some kind of flexible,
standard-based approach that I would think
1:05:12.470,1:05:17.940
DHS and the other regulatory agencies would
oversee for critical infrastructure; better
1:05:17.940,1:05:22.860
information sharing as you have heard; and
finally, steps that would make the international
1:05:22.860,1:05:29.560
environment more secure, steps that would
deter criminals and other potential hackers.
1:05:29.560,1:05:30.030
[Mr. Tierney] Mr. Turner?
1:05:30.030,1:05:33.650
[Mr. Turner] I would agree with everything
that has been said on the panel. Going last,
1:05:33.650,1:05:35.080
it is easier to do that.
1:05:35.080,1:05:42.080
I would add in addition to facilitating information
sharing and making it easier, keeping an eye
1:05:44.790,1:05:49.390
towards that liability. We have to keep in
mind that most of the attacks that we see
1:05:49.390,1:05:55.050
today, the attacks themselves are international
in nature, so we are not just dealing with
1:05:55.050,1:06:00.350
threat actors or threat intelligence that
comes from the Five Eyes or the United States
1:06:00.350,1:06:00.750
alone.
1:06:00.750,1:06:06.010
We are also dealing with issues that come
from other jurisdictions, other western jurisdictions
1:06:06.010,1:06:13.010
where the sharing of that information is considered,
to put it bluntly, very difficult to do and
1:06:13.020,1:06:18.580
can put you in a lot of hot water. Those issues
have to be addressed if we are going to get
1:06:18.580,1:06:22.860
down to the role where we talk about how do
we make it easier for governments to protect
1:06:22.860,1:06:25.850
the private sector especially when we are
talking about critical infrastructure. Those
1:06:25.850,1:06:28.890
are some of the hurdles we have to address.
If we don't address them at the higher level,
1:06:28.890,1:06:34.900
sharing the information formally at a lower
level is difficult. It happens informally
1:06:34.900,1:06:35.400
now.
1:06:35.400,1:06:42.400
I wouldn't want to leave the panel with the
impression that we do not share information
1:06:42.720,1:06:46.530
because that is certainly not the case. I
personally have worked with all the levels
1:06:46.530,1:06:51.780
of the United States Government on sharing
information about current threats to critical
1:06:51.780,1:06:55.430
infrastructure but it is in an unofficial
capacity because there doesn't exist an official
1:06:55.430,1:06:57.320
capacity in which we can do that.
1:06:57.320,1:06:59.750
[Mr. Tierney] Thank you.
1:06:59.750,1:07:00.080
Thank you, Mr. Chairman.
1:07:00.080,1:07:02.880
[Mr. Chaffetz] I want to thank all the panel
members for their participation today and
1:07:02.880,1:07:06.520
your expertise. If there are additional comments
or information you would like to share with
1:07:06.520,1:07:07.470
us, I would appreciate it.
1:07:07.470,1:07:12.910
Mr. McGurk, if you would commit to this committee
to help us conduct that confidential briefing,
1:07:12.910,1:07:19.910
a classified briefing, I should say, we would
certainly appreciate that. Is that something
1:07:20.910,1:07:21.160
you could commit to?
1:07:20.950,1:07:23.040
[Mr. McGurk] Yes, Mr. Chairman, it would be
my pleasure to help facilitate that.
1:07:23.040,1:07:24.490
[Mr. Chaffetz] That would be great.
1:07:24.490,1:07:31.119
Thank you again for your expertise. This is
a fast moving industry, it changes every moment
1:07:31.119,1:07:35.330
and we appreciate your participation. Thank
you again for your expertise and your comments.
1:07:35.330,1:07:36.480
The committee now stands adjourned.
1:07:36.480,1:07:37.760
[Whereupon, at 4:15 p.m., the subcommittee
was adjourned.]